Using BIND to enforce Google SafeSearch…



  • Does anybody know how to configure BIND on pfSense to enforce Google SafeSearch?

    From Google support page <https://support.google.com/websearch/answer/186669?hl=en>:
    "Set the DNS entry for www.google.com (and any other Google ccTLD country subdomains your users may use) to be a CNAME for forcesafesearch.google.com".

    Thanks,
    Steve



  • Got something to work, by…

    1. Creating a View with Recursion=Yes, match-clients=any, allow-recursion=any

    2. Created a Zone for google.com with:
            Zone Type        = Master
            View                = the name given to the view above.
            Name Server    = the name of the pfSense host
            Base Domain IP = 127.0.0.1
            allow-query      = any
            Domain Record  = www - CNAME - forcesafesearch.google.com

    This seems to work for www.google.com, if I ping www.google.com it returns the address of forcesafesearch.google.com (216.239.38.120)...

    Does this mean I have to add a Zone entry for all of the possible Google domains or is there a more efficient way to configure it?



  • Got it working for all 193 Google domains, you can find them all here <https://www.google.com/supported_domains>…

    Also this Google Support page <https://support.google.com/websearch/answer/186669?hl=en>.

    What I did:

    1. Delete the previously created View and Zone.

    2. In the Custom Options section of the Settings tab add the line -
          response-policy { zone "rpz-google"; };

    3. In the Global Settings section of the Settings tab add the lines -
          zone "rpz-google" {
              type master;
              file "master/rpz-google.DB";
              allow-query {none;};
          };

    4. ssh to pfSense, open a shell and 'cd /cf/named/etc/namedb/master', then create a zone file rpz-google.DB

    The zone file looks a bit like this:


    $TTL 128
    ;
    $ORIGIN rpz-google.

    ; Database file rpz-google.DB for rpz-google zone.

    rpz-google.      IN  SOA localhost.        root.localhost. (
                    2474766874 ; serial
                    1d ; refresh
                    2h ; retry
                    4w ; expire
                    1h ; default_ttl
                    )

    ;
    ; Zone Records
    ; Google SafeSearch
    @        IN NS  localhost.
    google.com              CNAME  forcesafesearch.google.com.
    www.google.com      CNAME  forcesafesearch.google.com.
    google.co.uk        CNAME  forcesafesearch.google.com.
    www.google.co.uk    CNAME  forcesafesearch.google.com.

    ; pattern repeats for the other 191 domains...


    Things to do, make it work with Views and other Zones...

    Any feedback appreciated,
    Steve
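
One way to generate the records for the whole domain list instead of typing them by hand, as an added example that is not part of the original posts. It treats the downloaded list as untrusted input and only emits names that look like Google domains; the sample list, the function names and the validation pattern are assumptions made for this example.

```python
import re

# Assumption: one domain per line, optionally with a leading dot
# (e.g. ".google.co.uk"), as in Google's supported_domains list.
SAMPLE_DOMAINS = """\
.google.com
.google.co.uk
.google.de
google.de
$INCLUDE /etc/passwd
.example.com
"""  # constructed sample, including lines that must be rejected

TARGET = "forcesafesearch.google.com."
# Lowercase letters, digits and hyphens only; the name must start with "google."
NAME_RE = re.compile(r"google(\.[a-z0-9-]{2,63}){1,2}")


def parse_domains(text):
    """Return the unique, validated Google domains in input order."""
    seen, result = set(), []
    for line in text.splitlines():
        name = line.strip().lower().lstrip(".")
        if NAME_RE.fullmatch(name) and name not in seen:
            seen.add(name)
            result.append(name)
    return result


def build_rpz_zone(text, serial, zone="rpz-google"):
    """Render the zone: SOA and NS as in the post, then two CNAMEs per domain."""
    lines = [
        "$TTL 128",
        f"$ORIGIN {zone}.",
        f"@ IN SOA localhost. root.localhost. ({serial} 1d 2h 4w 1h)",
        "@ IN NS localhost.",
    ]
    for name in parse_domains(text):
        # Owner names carry no trailing dot, so they are relative to $ORIGIN,
        # which is how RPZ QNAME triggers are written.
        lines.append(f"{name} CNAME {TARGET}")
        lines.append(f"www.{name} CNAME {TARGET}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone(SAMPLE_DOMAINS, serial=2474766874), end="")
```

Checking the generated file with `named-checkzone rpz-google rpz-google.DB` before reloading BIND catches syntax errors that would otherwise stop the policy zone from loading.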



  • @sgoldtho:

    The zone file looks a bit like this:

    $TTL 128
    ;
    $ORIGIN rpz-google.
    
    ; Database file rpz-google.DB for rpz-google zone.
    
    rpz-google.      IN  SOA localhost.         root.localhost. (
                    2474766874 ; serial
                    1d ; refresh
                    2h ; retry
                    4w ; expire
                    1h ; default_ttl
                    )
    
    ;
    ; Zone Records
    ; Google SafeSearch
    @        IN NS  localhost.
    google.com              CNAME   forcesafesearch.google.com.
    www.google.com      CNAME   forcesafesearch.google.com.
    google.co.uk          CNAME   forcesafesearch.google.com.
    www.google.co.uk    CNAME   forcesafesearch.google.com.
    
    ; pattern repeats for the other 191 domains…
    
    

    If you're working with a response policy zone, you can use an asterisk for wildcard. *.google.com, etc.

